On Mon, Feb 27, 2012 at 09:40:46PM +0000, Dominic Hargreaves wrote:
> Source: liblocale-hebrew-perl
> Severity: normal
> Version: 1.04-1
> User: [email protected]
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> bidi.c: In function 'ShowInputTypes':
> bidi.c:1237:5: error: format not a string literal and no format arguments [-Werror=format-security]
> bidi.c: In function 'ShowTypes':
> bidi.c:1248:5: error: format not a string literal and no format arguments [-Werror=format-security]
> bidi.c: In function 'ShowLevels':
> bidi.c:1259:5: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors
These functions are undocumented and not used by the module itself. They are apparently inherited from a "Sample Implementation of the Unicode Bidirectional Algorithm". While they are exported by the shared object /usr/lib/perl5/auto/Locale/Hebrew/Hebrew.so, it doesn't seem likely that anybody would use them. There are no reverse dependencies in Debian to check.

Also, the functions don't seem to be actually vulnerable, as CharFromTypes[] is a fixed array that doesn't contain the percent sign, and the format strings are made up of its elements. I don't claim to actually understand the stuff, though.

Conclusion: no obvious security impact.

-- 
Niko Tyni [email protected]

